National Energy Research Scientific Computing Center
  A DOE Office of Science User Facility
  at Lawrence Berkeley National Laboratory
 

Grid Computing at NERSC: Certificates

How to obtain a grid certificate for use at NERSC

In order to use grid tools, users need to obtain and install user certificates. The DOE Grids web pages provide all the necessary details for the application and installation process.

The basic steps in this process are:

  • Import DOEGrids CA certificates into your browser
  • Request a user certificate
  • Retrieve the certificate via your web browser
  • Export the certificate into a pkcs12 (.p12) file
  • Convert the exported file into a Globus usercert/key pair

Once you have your usercert.pem and userkey.pem files, you can use your certificate with Globus.
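
The final conversion step can be done with openssl, as in the following added example, which is not taken from the NERSC or DOEGrids pages. The function name p12_to_globus and the P12_PASS/KEY_PASS environment variables are assumptions of this example; the target directory defaults to $HOME/.globus.

```sh
#!/bin/sh
# Added example (not from the NERSC page): split a browser-exported PKCS#12
# bundle into the usercert.pem / userkey.pem pair that Globus reads.
# Usage: p12_to_globus mycert.p12 [target-dir]
# Assumption of this example: if P12_PASS / KEY_PASS are exported, they supply
# the import and key pass phrases; otherwise openssl prompts on the terminal.
p12_to_globus() (
    p12=$1
    dir=${2:-$HOME/.globus}
    [ -r "$p12" ] || { echo "cannot read: $p12" >&2; exit 1; }

    # Owner-only umask inside this subshell, so the key file is never
    # group- or world-readable, not even between creation and chmod.
    umask 077
    mkdir -p "$dir" || exit 1

    in_opt=''
    out_opt=''
    if [ -n "${P12_PASS:-}" ]; then in_opt='-passin env:P12_PASS'; fi
    if [ -n "${KEY_PASS:-}" ]; then out_opt='-passout env:KEY_PASS'; fi

    # Certificate only: -clcerts drops the CA chain, -nokeys drops the key.
    # $in_opt / $out_opt are intentionally unquoted so they split into words.
    openssl pkcs12 -in "$p12" -clcerts -nokeys $in_opt \
        -out "$dir/usercert.pem" || exit 1

    # Private key only, re-encrypted under the key pass phrase.
    openssl pkcs12 -in "$p12" -nocerts $in_opt $out_opt \
        -out "$dir/userkey.pem" || exit 1

    chmod 644 "$dir/usercert.pem"   # public certificate
    chmod 400 "$dir/userkey.pem"    # private key: owner read-only
)
```

The function stops with an error rather than overwriting an existing read-only userkey.pem.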

To log in to NERSC with your grid certificate, you first need to register your certificate information through the NIM web interface, so that it can be propagated to the grid-mapfile on the host systems.

  • Log in to NIM, and click on the "Grid Certificates" tab.
  • Click on the "Add existing Grid Certificate to NIM" link.
  • Enter the appropriate information for the "Cert Subject" and "Cert Issuer" fields. You can get this information as follows:
    • Make sure you have your certificate/key pair installed in $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem on a system that has Globus installed (such as DaVinci or PDSF).
    • Load the globus module
        % module load globus
    • Get the Cert Subject:
        % grid-cert-info -subject 
      which yields something like:
        /DC=org/DC=doegrids/OU=People/CN=Alfred E. Newman 123456 
    • Get the Cert Issuer:
        % grid-cert-info -issuer 
      which yields:
        /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 
  • Make sure you enter the above fields in exactly the format returned by the "grid-cert-info -subject" and "grid-cert-info -issuer" commands.
  • Click on "Add Certificate"
  • It will take up to 2 hours for the certificate to be approved and propagated to the various systems. You should receive confirmation when this has happened. You can then use your grid certificate to log in to NERSC systems.

Storing your certificate on a MyProxy server

NERSC provides a MyProxy service to conveniently store and access your grid certificate from multiple systems.

Instead of creating local copies of your usercert.pem and userkey.pem files on all the systems you wish to use, you can simply store a certificate on our myproxy server (myproxy.nersc.gov), and then access this proxy certificate (also called a delegated proxy credential) from any other machine without having to make local copies of your original certificate.

To store your proxy certificate, issue this command from a machine that has your original certificate key pair:

% myproxy-init -s myproxy.nersc.gov

Your identity: /DC=org/DC=doegrids/OU=People/CN=Joe User 123456
Enter GRID pass phrase for this identity:
Creating proxy ............................................Done
Proxy Verify OK
Your proxy is valid until: Tue Jul 24 13:47:44 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user joeuser now exists on myproxy.nersc.gov.

This will prompt you for your local certificate password, and then ask you for a myproxy password. Your myproxy password will be used to pick up your delegated proxy from other machines. You can set this to anything you like as long as it meets the NERSC password requirements.

The above process stores a proxy certificate that is valid for 7 days on the myproxy.nersc.gov server under your default username. Other useful options include:

  • -l <username>: specify an alternate user to store the certificate under
  • -c <hours>: lifetime of the certificate in hours; -c 0 will store a proxy certificate with the maximum possible lifetime, i.e. the lifetime of the original certificate

To download a proxy certificate for use, enter the following:

% myproxy-logon -s myproxy.nersc.gov -l joeuser

Enter MyProxy pass phrase:
A credential has been received for user joeuser in /tmp/x509up_u1234.

This will prompt you for the myproxy server password that you set above, and create a short-lived (12 hours) grid proxy certificate on your local machine. You may omit the -l flag if you used your default local username to store the certificate on the myproxy server.
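
The file that myproxy-logon writes (/tmp/x509up_u1234 in the output above) holds the proxy's private key unencrypted, so its permissions and remaining lifetime are worth checking before use. The check below is an added example, not part of the original page; the function name check_proxy and its return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the NERSC page): sanity-check a downloaded proxy file.
# Usage: check_proxy [file] [min-seconds-left]
# Returns 0 = usable, 2 = missing or a symlink, 3 = permissions too open,
#         4 = unreadable as a certificate or expiring within min-seconds-left.
check_proxy() {
    proxy=${1:-/tmp/x509up_u$(id -u)}   # default location, keyed by numeric uid
    min_left=${2:-3600}

    # /tmp is world-writable and the file name is predictable, so insist on
    # a regular file and refuse symlinks.
    if [ -L "$proxy" ] || [ ! -f "$proxy" ]; then
        echo "no regular proxy file at $proxy" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # all six must be '-' because the file holds an unencrypted private key.
    mode=$(ls -ld "$proxy" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "$proxy is accessible to group/other ($mode)" >&2
           return 3 ;;
    esac

    # -checkend N exits non-zero if the first certificate in the file (the
    # proxy certificate itself) expires within N seconds.
    if ! openssl x509 -in "$proxy" -noout -checkend "$min_left" >/dev/null; then
        echo "$proxy is not a valid certificate or expires within" \
             "$min_left seconds; run myproxy-logon again" >&2
        return 4
    fi
    return 0
}
```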

In all the examples describing grid access, you can substitute the grid-proxy-init command with myproxy-logon. Instead of generating a proxy from a local certificate, it will download a proxy certificate from the myproxy server, but the end result is exactly the same.


Page last modified: Thu, 08 Nov 2007 16:09:23 GMT
Page URL: http://www.nersc.gov/nusers/services/Grid/certificates.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov
